WordPress redirect all HTTPS to HTTP

2019-01-15 04:39发布

问题:

We have a WordPress site, and used to have an SSL certificate. The site used to be all HTTPS, and now we don't need the SSL anymore so we let it expire.

We've already changed the Site Address and WordPress Address in the admin panel to be http://example.com.

We have several links out in the wild that link back to us with https:// and if the user accesses the site with https:// the site breaks or the user gets a warning message in their browser.

Bottom line, we need to redirect all https:// traffic to http://.

I tried couple of plugins (no luck):

  • https://wordpress.org/plugins/force-non-ssl/
  • https://wordpress.org/plugins/wp-force-http/

and even changed the .htaccess file (still no luck)

<IfModule mod_rewrite.c>
RewriteEngine On

RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]

RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

Not sure what else I need to do.

回答1:

The problem here lies with the fact that before Apache or WordPress come in to play, the browser needs to establish a connection with the server over HTTPS by connecting, performing an SSL handshake, exchanging (and verifying) certificates, and only after all that is done, will the browser issue the HTTP request that tells the server what resources it is looking for.

Because of that, no .htaccess or WordPress plugin is going to be able to redirect the user without them establishing a secure session.

Of course if you install a self-signed certificate, the user is going to be presented with a warning before any of this happens. If you by chance (which doesn't seem to be the cast) had been sending Strict Transport Security headers over https, then previous visitors' browsers may not even allow them to connect over HTTP.

If you want to redirect HTTPS traffic to HTTP, unfortunately you are going to have to acquire a valid certificate and redirect using .htaccess or some PHP code as you are.

If you're looking for certificates that are trusted by a majority of browsers without paying, you can get a free certificate from Let's Encrypt.

Bottom line, if you want to seamlessly redirect HTTPS traffic to HTTP without any warning messages, you need to install another SSL certificate from a trusted CA.



回答2:

Here is an alternative solution you can use if you don't want to edit .htaccess:

add_action( 'template_redirect', 'nonhttps_template_redirect', 1 );

function nonhttps_template_redirect() {

    if ( is_ssl() && !is_admin() ) {

        if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) {

            wp_redirect( preg_replace( '|^https://|', 'http://', $_SERVER['REQUEST_URI'] ), 301 );

            exit();

        } else {

            wp_redirect( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );

            exit();

        }

    }

}

You can place this at the bottom of your theme functions.php



回答3:

Expanding on @HigherCoding 's answer and @MrWhite 's comment, to get a PHP function to do this on a site where the https port exists but the ssl certification is invalid, expired or non-existent:

function shapeSpace_check_https() { 
if ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || $_SERVER['SERVER_PORT'] == 443) { 
    return true; 
}
    return false;
}


function bhww_ssl_template_redirect() {
if ( shapeSpace_check_https() ) {
    if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) {    
        wp_redirect( preg_replace( '|^(https://)|', 'http://', $_SERVER['REQUEST_URI'] ), 301 );
        exit(); 
    } else {
        wp_redirect( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
        exit();     
    }
}   
}

add_action( 'template_redirect', 'bhww_ssl_template_redirect');

This worked on my site in functions.php and was a combination of these two sources: Source 1 and Source 2.

As @drew010 pointed out - this will still not prevent a scary prompt for users who type in https as part of your URL. But it will redirect them to http if they happen to click through the scary prompt, which is unlikely. It seems that getting an SSL certificate is likely the best option for this reason, for general security and for increased Google ranking now & in the future.



回答4:

This disables https completely


    <IfModule mod_rewrite.c> 
        RewriteEngine On
        RewriteCond %{HTTPS} off
    </IfModule>

This leaves The HTTPS enabled and then uses server VARIABLES to redirect all pages to HTTP:


    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} on
        RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI}
    </IfModule>

Hope this helps you....